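---
# Resolve initramfs generator and TPM2 unlock method.
# Sets the _initramfs_generator, _initramfs_native_generator and _tpm2_method facts.
#
# Generator detection: derived from the platform's initramfs_cmd
#   (dracut → dracut, mkinitcpio → mkinitcpio, else → initramfs-tools).
#   system_cfg.features.initramfs.generator, when non-empty, overrides it.
# TPM2 method: systemd-cryptenroll when the generator supports tpm2-device,
#   clevis fallback otherwise. A non-native dracut is installed automatically
#   when dracut is requested or needed.
#
# Inputs:  system_cfg, _configuration_platform, chroot_command,
#          configuration_luks_auto_method
# Outputs: _initramfs_generator, _initramfs_native_generator, _tpm2_method,
#          _configuration_platform (initramfs_cmd rewritten when switching to dracut)

- name: Resolve initramfs generator
  vars:
    # Optional user override; an empty string means "use the native generator".
    _user_generator: "{{ system_cfg.features.initramfs.generator | default('') }}"
    # The native generator is inferred from the platform's initramfs command.
    _native_generator: >-
      {{ 'dracut' if _configuration_platform.initramfs_cmd is search('dracut')
         else ('mkinitcpio' if _configuration_platform.initramfs_cmd is search('mkinitcpio')
         else 'initramfs-tools') }}
  ansible.builtin.set_fact:
    _initramfs_generator: >-
      {{ _user_generator if _user_generator | length > 0 else _native_generator }}
    _initramfs_native_generator: "{{ _native_generator }}"

# --- Install non-native dracut if overridden or needed ---
- name: Install dracut in chroot when not native
  when:
    - _initramfs_generator == 'dracut'
    - _initramfs_native_generator != 'dracut'
  # One explicit branch per package manager. A flat `a && b || c && d || e && f`
  # chain does not express this: `&&` and `||` bind equally and left-to-right,
  # so a successful apt install still fell through to `pacman -S` and the task
  # ended with rc != 0 even though dracut had been installed.
  # NOTE(review): assumes the chroot's package lists are already present;
  # no `update`/refresh is performed here.
  ansible.builtin.shell: |
    {{ chroot_command }} sh -c '
      if command -v apt-get >/dev/null 2>&1; then
        DEBIAN_FRONTEND=noninteractive apt-get install -y dracut
      elif command -v pacman >/dev/null 2>&1; then
        pacman -S --noconfirm dracut
      elif command -v dnf >/dev/null 2>&1; then
        dnf install -y dracut
      else
        echo "no supported package manager found in chroot" >&2
        exit 1
      fi
    '
  register: _dracut_install_result
  changed_when: _dracut_install_result.rc == 0
  # Fail here with the package manager's own error rather than later with a
  # "dracut: not found" from the rewritten initramfs_cmd.
  failed_when: _dracut_install_result.rc != 0

- name: Override initramfs command to dracut
  when:
    - _initramfs_generator == 'dracut'
    - _initramfs_native_generator != 'dracut'
  vars:
    # Generate the dracut initramfs under the output name GRUB expects for the
    # native generator:
    #   mkinitcpio native:      /boot/initramfs-linux.img  (Arch convention)
    #   initramfs-tools native: /boot/initrd.img-<kver>    (Debian convention)
    # Note: the Arch form writes every kernel to the same fixed path, so with
    # several kernels under /lib/modules the last one iterated wins.
    _dracut_cmd: >-
      {{ 'bash -c "for kver in /lib/modules/*/; do kver=$(basename $kver); dracut --force /boot/initramfs-linux.img $kver; done"'
         if _initramfs_native_generator == 'mkinitcpio'
         else 'bash -c "for kver in /lib/modules/*/; do kver=$(basename $kver); dracut --force /boot/initrd.img-$kver $kver; done"' }}
  ansible.builtin.set_fact:
    _configuration_platform: >-
      {{ _configuration_platform | combine({'initramfs_cmd': _dracut_cmd}) }}

# --- TPM2 method detection ---
- name: Probe dracut for TPM2 module support
  when:
    - configuration_luks_auto_method == 'tpm2'
    - _initramfs_generator != 'mkinitcpio'
  # Lists the modules shipped with the dracut present in the chroot. This says
  # nothing about whether the target has a TPM2 device or which PCRs the
  # enrollment binds to; those are decided where the unlock itself is set up.
  ansible.builtin.command: "{{ chroot_command }} dracut --list-modules"
  register: _dracut_modules_check
  changed_when: false
  # Best effort: when dracut is absent (e.g. initramfs-tools native) the probe
  # fails with empty stdout, which resolves to the clevis fallback below.
  failed_when: false

- name: Resolve TPM2 unlock method
  when: configuration_luks_auto_method == 'tpm2'
  vars:
    # mkinitcpio's sd-encrypt supports tpm2-device natively; dracut does when
    # its tpm2-tss module is listed; everything else needs clevis.
    # default('') covers the case where the probe above was skipped.
    _supports_tpm2_native: >-
      {{ _initramfs_generator == 'mkinitcpio'
         or ('tpm2-tss' in (_dracut_modules_check.stdout | default(''))) }}
  ansible.builtin.set_fact:
    _tpm2_method: "{{ 'systemd-cryptenroll' if _supports_tpm2_native | bool else 'clevis' }}"

# --- Auto-upgrade to dracut when tpm2-tss available but generator isn't dracut ---
- name: Switch to dracut for TPM2 support
  when:
    - configuration_luks_auto_method == 'tpm2'
    - _tpm2_method == 'systemd-cryptenroll'
    - _initramfs_generator not in ['dracut', 'mkinitcpio']
  # Reaching here means the probe found tpm2-tss, so a dracut binary is already
  # present in the chroot; no install step is needed.
  vars:
    # Same Debian-convention command as the initramfs-tools branch above.
    _dracut_cmd: >-
      bash -c "for kver in /lib/modules/*/; do kver=$(basename $kver); dracut --force /boot/initrd.img-$kver $kver; done"
  ansible.builtin.set_fact:
    _initramfs_generator: dracut
    _configuration_platform: >-
      {{ _configuration_platform | combine({'initramfs_cmd': _dracut_cmd}) }}

- name: Report TPM2 configuration
  when: configuration_luks_auto_method == 'tpm2'
  ansible.builtin.debug:
    msg: "TPM2 unlock: {{ _tpm2_method | default('none') }} | initramfs: {{ _initramfs_generator }}"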